If you don't know where to start, I would sum it up in one point: VALIDATE ALL YOUR INPUTS: check every parameter from GET/POST HTML forms and from URLs, and check that nothing you send to the database contains malicious characters.
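As an added illustration of the advice above (example code written for this page, not the poster's own), the snippet below shows the two halves of "validate all your inputs": an allow-list check on request parameters before they are used, and a parameterized query so the database driver treats the value as data rather than as part of the SQL. The table, the parameter names, and the rules in `PARAM_RULES` are constructed for the example; `lookup_unsafe` is kept only to show why string interpolation is the wrong way to build the query.

```python
import re
import sqlite3

# Constructed sample data, standing in for an application's users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn

# Allow-list rules for request parameters (hypothetical): name -> compiled pattern.
# Anything not listed here, or not matching its pattern, is rejected outright.
PARAM_RULES = {
    "username": re.compile(r"[a-z0-9_]{1,32}"),
    "page": re.compile(r"[0-9]{1,4}"),
}

def validate_params(params):
    """Return a dict of validated parameters; raise ValueError on anything unexpected."""
    clean = {}
    for name, value in params.items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            raise ValueError(f"unexpected parameter: {name!r}")
        if not isinstance(value, str) or rule.fullmatch(value) is None:
            raise ValueError(f"invalid value for {name!r}")
        clean[name] = value
    return clean

def is_valid(params):
    """Convenience wrapper: True if validate_params accepts the parameters."""
    try:
        validate_params(params)
        return True
    except ValueError:
        return False

def lookup_unsafe(conn, username):
    # Vulnerable pattern: interpolating the raw value lets it change the query structure.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username):
    # Hardened pattern: placeholder binding; the driver never parses the value as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def handle_request(conn, params):
    """Validate first, then query with a bound parameter; returns matched usernames."""
    clean = validate_params(params)
    return lookup_safe(conn, clean["username"])

if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, {"username": "alice"}))
    print(is_valid({"username": "' OR '1'='1"}))  # rejected by the allow-list
```

The two layers are deliberately independent: the allow-list stops malformed values at the edge of the application, and the bound parameter protects the query even if a value slips past validation through some other code path. Relying on only one of them is the usual way these checks fail in practice.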